At a security conference, SecTor, Google malware researcher gave a rare peek inside the massive amounts of efforts of Google’s anti-malware and anti-phishing technologies. Google showcased stories of  the attackers who make it their business to infect sites and exploit users. And what makes it worse is that users are adapting these blackhat/unethical tactics very quickly and creatively to combat the efforts of Google and other Internet giants.

The search giant has deployed a number of services and technologies recently that are designed to identify phishing sites as well as sites serving malware and prevent users from finding them. Among the biggest tools, the most powerful, yet simple, is Google SafeBrowsing API.

Safebrowsing API enables client applications to check URLs against Google’s constantly updated blacklists of suspected phishing and malware pages. The client application can use the API to download an encrypted table for local, client-side lookups of URLs that everyone would like to check.

• Warn users before clicking on links that appear in site when they lead to malware-infested pages.
• Prevent users from posting links to phishing pages from your site.
• Check a list of pages against Google’s lists of suspected phishing and malware pages.

These services  help site owners and network administrators find and eliminate malware and the attendant bugs from their sites.

As Google crawls through the web, it identifies malware-distribution sites as well as legitimate sites that have been compromised with injected malicious code. One of the major reasons of adoption of such methodologies is to gain back-links by infecting relatively higher PageRank websites, in order to gain more traffic from search engines.

Malware-distribution sites are regualrly being watched by Google. Google has invested in a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The data hence gathered is then tied up with that of automated crawlers which look for “malicious code” on “legitimate Web sites”. The combiantion of the two gives them full confidence in identifying the culprits.

Fabrice Jaubert, of Google’s anti-malware team, said, “the company does pretty well on identifying malware sites, fast enough.  Still, about 1.5 percent of all search result pages on Google include links to at least one malware-distribution site”.

“There’s a lot of fluctuation in that over time, and that could be due to a lot of factors. It could be due to a change in the pages, it could be a change in our detection rate and also in the popularity of the infected pages,” Jaubert said. “The biggest factor is that we’ve found a substantial number of malware pages are spammy and have no content. We remove those pages. But it’s a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them.”

Source of Malware distribution

Its difficult to identify the source of a malware, however prevention helps everyone.

A major cause of this infection and distribution ecosystem is the huge population of unpatched Web servers having known vulnerabilites waiting to be exploited by various code injections.

Malicious code is often hidden in  web markup components, and the most favorite one is the iFrames. Such code injections redirects users to another site where malware is installed on the victim’s machine via a drive-by download, or one of the other popular ways.

With time, these malware distributors are getting smarter and have changed their tactics for their own good. Among ewer methods, instead of redirecting,  these malicious codes of iframes attempt on loading the malware on the compromised legitimate site and using the same site for malware distribution as well.

On a  good front, its relatively easier to identify malware-infected, malware-distribution pages , making web-malware easier to tackle.

But that doesn’t mean that there is an end to web-malware. Despite all the efforts there’s a large set of secrets of web malware that are in the dark even for companies like google.  Like Jaubert says ”We don’t understand all the details of this. We focus on the technical. There’s monetization aspects that we don’t have visibility into.”

We write about Latest in tech, Google,  iPhone, Gadgets, Open Source, Programming. Grab them all @taranfx on Twitter or below:

Because of this civilized censorship, the browsing experience is different in china than the rest of the world. Let’s discuss How Chinese internet is different from the world!

1. Due to congestion on China’s backbone networks and the time it takes for communications to travel across undersea cables to the United States and Europe, travelers find a noticeable difference in the responsiveness of the Internet in China compared to the rest of the world.
2. The Chinese government uses four mechanisms — DNS blocking, reset commands, URL keyword blocking and content scanning — to prevent Internet users in the country from reaching blacklisted Web sites or content.
3. Chinese authorities monitor all the Internet traffic coming in and out of the country using mirroring routers designed for back-up and disaster recovery operations. These routers are hooked up to computers that scan for forbidden information.
4. If the Chinese government finds that a user has downloaded forbidden content, it breaks the connection and prohibits the user from establishing communications with the site. These blackouts can last anywhere from two minutes to an hour.
5. The Chinese government is believed to employ tens of thousands of censors who monitor bloggers and delete offensive or subversive material. These censors require ISPs and other Internet companies to stop posting articles, forums and blogs about controversial subjects.
6. The Chinese government justifies its Internet monitoring efforts by telling the public that it is keeping online information “wholesome” and free of threats such as sexual predators. Online pornography is not as pervasive in China, and users are less likely to stumble upon it
7. Malicious activity — including phishing scams, bots and zombies — is less common in China than in the United States. China represented 7% of the Internet’s malicious activity, while the United States represented 31% during the second half of 2007. One rationale for the Chinese Internet monitoring system is to keep hackers at bay.
8. China produces 4% of the world’s spam, while the United States is the origin for 42% of all unsolicited e-mail. China decreased its spam volume by 131% in the second half of 2007, largely by reducing the number of bot-infested computers.
9. The China Next Generation Internet is an IPv6 backbone that the Chinese government is using as a testbed to develop IPv6 services, including distance learning and telemedicine. IPv6 is an upgrade to the Internet’s main communications protocol that features enough IP addresses for the Chinese population.
10. The Chinese top-level domain (.cn) had the fastest growth rate on the Internet in 2007. Sales of .cn domain names grew 399% in 2007. In contrast, the most common domains in the U.S. (.com and .net) grew 24% year over year.

The underlying technology that the Chinese use for Internet censorship, is studied by John Ritter, he explained it in a recent article titled “The Connection Has Been Reset.” Here are More Takeaways.

The Censorship & Delay

If you work from a Chinese Internet cafe – which is still where the vast majority of Chinese Internet activity happens, since so few people have connected computers in their own homes – you experience all of these blocking mechanisms as a matter of course. In some places, like schools, the blocking can be much cruder and indiscriminate. In several public schools the “connected” Internet computers were prevented from using any search engine whatsoever. It can be surprisingly hard to get around the Net if you can’t run any searches! In cafes and in most home connections, all the mechanisms would prevail.

In some hotels and other buildings that cater to Western visitors, the controls may be somewhat relaxed. The authorities don’t really care that much about what non-Chinese citizens are able to find. Still, travelers are not able to reach a wide variety of sites like Wikipedia or Technorati.

The concept of Matrix was once rejected by analysts. But today we feel with the kind of Technology advancements, it’s not far from I-M-Possible.

I started from the “Hacker” word to bring-out another advancement of an underworld. Normally, the Hacker word is used for both good and bad guys. I`ll refer mostly to bad guys.

Let’s start from this -

Late last year, the software engineers developing a new Windows-based networking client confronted an all-too-common problem in today’s hostile internet environment:

How would they make their software resistant to the legions of enemies waiting to attack it? Particularly worrisome was a key feature of their code, a mechanism to accept updates online. If it were subverted, an attacker could slip his own program into an installed base of millions of machines.
The coders decided to fortify their software with MIT’s brand-new, high-security cryptographic hashing algorithm called MD-6. It was an ambitious choice: MD-6 had been released just two months before, and hadn’t yet faced the rigors of real-life deployment. But things turned into nightmare and  the move seemed to backfire when a security hole was found in MD-6′s reference implementation – not long after the launch. But the coders rallied, and pushed out a corrected version in a new release of their software just weeks later.
It would be a model for secure software development, except for one detail: The “Windows-based networking client” in the example above is the B-variant of the spam-spewing Conficker worm; the corrected version is Conficker C, and the hard-working security-minded coders and software engineers? A criminal gang of anonymous malware writers, likely based in Ukraine. The very first real-world use of MD-6, an important new security algorithm, was by the bad guys.

The Future of hacking: Professional, Intellectual, Innovative, smart, and above-all Highly-funded. In the old days, hackers were mostly kids and college-age enthusiasts sowing their wild seeds before fertilizing the land.

Today, the best hackers have the skill and discipline of the best legitimate programmers and security gurus. They’re using mind-bending obfuscation techniques to deliver malicious code from hacked websites undetected. They’re writing malware for mobile phones and PDAs and even embedded devices from your STB to satellite mobile/GPS systems. The underground has even embraced the next-generation internet protocol IPv6 – setting up IPv6 chat rooms, file stores and websites hidden IPv6 tunnels unkonw to the world, even as legitimate adoption lags. Compare the contrast to rest of the commercial Service Providers/Enterprises, who still find it Challenging to deploy IPv6 due to potential Security leaks.

Ten years ago, an oft-repeated aphorism held that hackers were unskilled vandals: Just because they can break a window, doesn’t mean they could build one. Today’s bad guys could handcraft the broken glass it a living Monumental legend.

Money as a Catalyst: Computer criminals are scooping in millions through various scams and attacks. It is said that he best hackers are growing up in Russia and former Soviet satellite states, where there are fewer legitimate opportunities for smart coders.

“If you’re a sophisticated team of software developers, but you happen to be in Eastern Europe, what’s your way of raising a lot of money?” says Phillip Porras, the cyber threat expert at SRI International who dissected Conficker. “Maybe we’re dealing with business models that work for countries where it’s more difficult for them to sell mainstream software.”

Result – Hacking-As-A-Service – HaaS.

The Good

Want your new piece of product to be scanned for potential vulnerabilities, before launching commercially?

Pay them a fraction of chunk-of-money and they will hack and tear-apart your app within days. The Result- You get a stable and secure App, which will probably be less vulnerable to loopholes.

You may not be aware of this, but our Top secret and most secure systems like CIA and Military operations, either hire and/or contract industry’s smartest hackers to murder their security before the bad guys do it. That’s what makes them more secure than rest of the world.

“We need those guys who could make us feel unsafe today, so that we can foresee a safer future.” says a high Official Commissioner.

Ofcourse, there are other things that make them better than others, but this point is crucial.

The Bad

Want your custom code installed in a botnet of hacked machines? No Problemo!

It’ll cost you less than $25 for a 1,000 computers, $150 if you want them exclusively, says Uri Rivner, head of new technologies at security company RSA.

Today, an amateur can get a complete malware toolkit for $200 that has capability of making damages worth Millions. Story doesn’t en here, just like SaaS – Software as a service, you can rent Big Botnets for less than a grand that could take a Complete network of computers down and/or infect them to leave it in paralysis for several days. The damage is un-countable.

Or you can pay for a custom Trojan horse that will sneak past anti-virus software, or a toolkit that will let you craft your own.

“They actually have a testing lab where they test their malicious code against the latest anti-virus companies,” says Rivner, whose group closely monitors the underground. “While most computer criminals are thugs, the programmers and software entrepreneurs supplying them are scary-smart”.

Particularly disturbing to security experts is the speed with which the bad guys are jumping on newly disclosed vulnerabilities.

“Even one year ago, a lot of these web exploit toolkits were using vulnerabilities that had been discovered one or two years prior,” says Holly Stewart, Threat Response Manager at IBM’s X-Force. “They were really, really old…. That has really changed, especially this year. We’re seeing more and more current exploits go into these toolkits. And we’re seeing exploits come out that are even just a couple days after the vulnerability announcement.”

Whats even worse is, hackers are finding or purchasing their own vulnerabilities, called “zero day” exploits, for which no security patch exists. With real money to be had, there’s evidence that legitimate security workers are being tempted themselves. In April, federal prosecutors filed a misdemeanor conspiracy charge against security consultant Jeremy Jethro for allegedly selling a “zero day” Internet Explorer exploit to accused TJ Maxx hacker Albert Gonzales. The price tag: $60,000. It could take a lot of consulting gigs to make that kind of money performing penetration tests.
The change is being felt at every level of the cyber security world. When SRI’s Porras dug into the Conficker worm — which still controls an estimated 5 million machines, mostly in China and Brazil — the update mechanism initially baffled him and his team. “I know a lot of people stared at that segment of code and couldn’t figure out what it was,” he says. It wasn’t until crypto experts analyzed it that they realized it was MD-6, which at the time was available only from the websites of MIT and the U.S. National Institute of Standards and Technologies. Other portions of Conficker were equally impressive: the way it doggedly hunts for anti-virus software on a victim’s machine, and disables it; or the peer-to-peer mechanism. “There were points where it was pretty clear that certain major threads inside Conficker C seemed to be written by different people,” he says. “It left us feeling that we had a more organized team that brought different skills to bear… They aren’t people who have day jobs.”

Looking back, the first 20 years in the war between hackers and security defenders was pretty laid back for both sides. The hackers were tricky, sometimes even ingenious, but rarely organized. A wealthy anti-virus industry rose on the simple counter-measure of checking computer files for signatures of known attacks.

Everyday more and more rootkits and shocking vulnerabilities, thanks to good guys at BlackHat conferences, who make us aware of the Industry’ most dangerous stuff.

Hackers and security researchers mixed amiably at DefCon (World’s biggest Hacker’s conference) every year, seamlessly switching sides without anyone really caring. From now on, it’s serious. In the future, there won’t be many amateurs. It’s all professional and Official.

Antivirus software maker AVG has outlined plans to deliver malware protection for the iPhone by the end of 2010. I have two questions: 1. Is it needed?  and 2. Will it ruin the iPhone experience?

Smith from AVG product development said:

“I’d love to see it towards the end of next year, Really, it’s less about AV [and more to do with] protecting and stopping anything from getting on there, in real-time. [Malware creators] will use the Web to propagate on to these devices as much as they possibly can.”

Hmmm, I’m sure that anti-malware, ant-virus on the iPhone is a bad idea. Overall I’m just not convinced that the protection/performance trade off is worth it. Even if you ignore this fact, look at the more important point:

Is there a Need?

Look at the current Application strategy. All apps that exist in this world for iPhone come through our common gateway App Store (forget jailbroken apps for a minute). App Store is strict when it comes to policies, and proof is the BIG list of rejected apps, because of violations. It’s totally illogical to have antivirus int he current scenario.

For the Jailbroken world, since last 2 years, I haven’t seen any malware, virus application being produced.  May be iPhone developers haven’t yet thought of being destructive. They love the platform so much that they have no bad intentions for it. But future can bring bad stuff as the platform becomes more n more powerful. But Jailbreaking isn’t an Official thing. The day you do it, you lose your warranty, so Apple isn’t bothered about what happens to your OS after that.

Best thing for AVG would be to make it to App Store and be a must have for Jailbroken iPhones. Sounds Ironical, App Store solution to Jailbreaking, but it would be make more sense in the future.

The malware activity has been found on ATMs in Eastern European countries, and is likely to expand over to western europe aswell.

How it works? Step by Step
1. The malware records the magnetic stripe information on the back of a card as well as the PIN (Personal Identification Number), which would potentially allow criminals to clone the card in order to withdraw cash.

2. The collected card data, which is encrypted using the DES (Data Encryption Standard) algorithm, can be printed out by the ATM’s receipt printer.

3. The malware is controlled via a GUI that is displayed when a so-called “trigger card” is inserted into the machine by a criminal. The trigger card causes a small window to appear that gives its controller 10 seconds to pick one of 10 command options using the ATM’s keypad.

4. The criminal can then view the number of transactions, print card data, reboot the machine and even uninstall the malware. Another menu option appears to allow the ejection of an ATM’s cash cassette.

The malware contains advanced management functionality allowing the attacker to fully control the compromised ATM through a customized user interface built into the malware

Trustwave has collected multiple versions of the malware. The company believes that the particular one it analyzed is “a relatively early version of the malware and that subsequent versions have seen significant additions to its functionality.”

Precautions
The only precaution that banks can take at this moment is to properly seal ATMs so that there are no chances of eavesdropping. Also, existing ATMs should be scanned to see if they’re infected.

I’m sorry to say this but , as a end-user, there is a little you can do to know that ATM is infected.

- Look for Physical vulnerabilities of ATM

- Check if ATM machine is properly closed.

Banks, we need your support more than ever!